Claim tenant did not pass validation in multitenancy

Hi, I have multitenancy in my project, which lets a user have no tenant or a tenant based on his host, and I set it inside a plug. For example:
def call(conn, opts) do
  ...
  {tenant, x_tenant} =
    if check_explicit_no_tenant(conn), do: {nil, "none"}, else: {site.id, site.id}

  conn
  |> Ash.PlugHelpers.set_tenant(tenant)
  |> put_resp_header("x-tenant-id", x_tenant)
  |> assign(:current_site, site)
end
Many actions work with it, but when I want to generate a token, I have a problem. For example, if the tenant is nil I have no problem, but if I pass a tenant I get this debug output:
[debug] Claim %{"tenant" => "699debb0-9606-44d3-b824-c6763405cc34"} did not pass validation.
Current time: 1755167657
[debug] forbidden: Forbidden | forbidden
To bypass this, in sign_in_with_password, after I get my data I force it to have a nil tenant:
read :sign_in_with_password do
  description "Attempt to sign in using a email and password."
  get? true

  ...

  prepare fn query, _context ->
    query = Ash.Query.set_context(query, %{private: %{ash_authentication?: true}})
    current_tenant = query.tenant

    query =
      if current_tenant,
        do: Ash.Query.filter(query, site_id == ^current_tenant),
        else: Ash.Query.filter(query, is_nil(site_id))

    query
    |> Ash.Query.load(:site)
    # To make sure all tokens are from the none tenant
    |> Ash.Query.set_tenant(nil)
  end

  # validates the provided email and password and generates a token
  prepare AshAuthentication.Strategy.Password.SignInPreparation

  ...
end
As you see, I did it like this: Ash.Query.set_tenant(query, nil), but I do not want to do this. Where is my problem? By the way, my user can be with a nil tenant (master account) or can be with a site, and I checked that the tenant id is the same in my db and ets.
Master:
{
  ...
  "purpose": "user",
  "tenant": null
}
normal:
{
  ...
  "purpose": "user",
  "tenant": id..
}
Thank you in advance
Shahryar (OP) • 2mo ago
I think it is from my api pipeline and custom plug! 🤔 Because it is loaded after plug :load_from_bearer
pipeline :api do
  plug :accepts, ["json"]
  plug :load_from_bearer
  plug :set_actor, :user
  plug MishkaCms.Runtime.Plugs.ApiTenantLookupPlug
end
Or if there is an option to disable tenancy when creating the token, I think it fixes my problem: https://hexdocs.pm/ash_authentication/dsl-ashauthentication.html#authentication-tokens
ZachDaniel • 2mo ago
You can look up the tenant before loading the token
Solution
Shahryar • 2mo ago
Thank you there were some problems in my custom plug 🫄 🚬
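
The ordering issue discussed in this thread, as an added example that is not from the original posts and is not AshAuthentication's code. It is a simplified model that assumes token verification compares the token's "tenant" claim with the tenant already set on the conn; the module name, function bodies and sample values are hypothetical.

```elixir
# Simplified model (assumption): a token carries a "tenant" claim, and loading
# it compares that claim with the tenant already present on the conn.
defmodule TenantOrderDemo do
  # Constructed sample values.
  @site_id "site-a"
  @token %{"purpose" => "user", "tenant" => "site-a"}

  # Stand-in for the tenant lookup plug: resolves the tenant from the host.
  def lookup_tenant(conn), do: Map.put(conn, :tenant, @site_id)

  # Stand-in for loading the bearer token: the claim must match the tenant
  # that is on the conn at the moment this step runs.
  def load_from_bearer(%{token: %{"tenant" => claim}} = conn) do
    if claim == Map.get(conn, :tenant) do
      Map.put(conn, :current_user, "user-1")
    else
      Map.put(conn, :current_user, nil)
    end
  end

  # Runs the steps in order, like plugs in a pipeline.
  def run(steps, conn \\ %{token: @token}) do
    Enum.reduce(steps, conn, fn step, acc -> step.(acc) end)
  end

  def demo do
    # Token loaded before the tenant is known: the claim is compared with nil.
    token_first = run([&load_from_bearer/1, &lookup_tenant/1])
    # Tenant looked up first: the claim matches and the user is loaded.
    tenant_first = run([&lookup_tenant/1, &load_from_bearer/1])
    # A token issued for one tenant presented on another tenant is rejected.
    other_tenant = run([&load_from_bearer/1], %{token: @token, tenant: "site-b"})

    {token_first.current_user, tenant_first.current_user, other_tenant.current_user}
  end
end

IO.inspect(TenantOrderDemo.demo())
```

In this model a token whose "tenant" claim is nil matches a conn with no tenant set, which is consistent with the master account working in either plug order.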
